Nearly 35,000 Mainers affected by TD Bank security breach

Nearly 35,000 Mainers may have had their personal information — including Social Security and bank account numbers — compromised during TD Bank’s March security breach.

In a letter to the Maine attorney general’s office dated Oct. 5 and received Oct. 11, TD Bank’s chief privacy officer acknowledged that two computer data backup tapes went missing while they were being shipped to a TD Bank location. The letter said the tapes may have included not only names, addresses, Social Security numbers and bank account numbers, but also dates of birth and driver’s license numbers for 34,907 Mainers.

TD Bank’s notice to customers did not mention that dates of birth and driver’s license numbers may have been among the missing data. Both pieces of personal information can make identity theft easier.

The breach affects customers throughout TD Bank’s East Coast coverage area, from Florida to Maine. TD Bank spokeswoman Rebecca Acevedo has declined to say how many customers were affected overall, but the bank’s letter to the Maine attorney general’s office, which details the number of Maine customers affected, was obtained by the Sun Journal as a public document.

Although the breach occurred in March, TD Bank did not begin notifying customers until a couple of weeks ago. Acevedo said the bank held off as it conducted an internal investigation. That investigation is ongoing and the bank has contacted Massachusetts law enforcement, as well.

TD Bank officials say there was no indication the data had been misused.

Maine law requires companies to notify the state, as well as customers, of security breaches. TD Bank sent out notification letters Oct. 3 to affected Maine customers. Although letters continue to to be sent to customers in other states, all affected Maine customers should have been notified by now. Only affected customers got letters.

Some customers have complained that TD Bank should have told them sooner that their data was lost, putting them at risk of identity theft. It is unclear whether such a delay is allowed. Maine law permits businesses to conduct investigations before notifying customers of security breaches, but notifications must be made “as expediently as possible and without unreasonable delay.”

Officials with the consumer protection arm of the attorney general’s office were unavailable for comment Thursday. That office could help gauge whether TD Bank’s notification was made expediently and “without unreasonable delay.”

TD Bank has offered to transfer funds in affected accounts to new accounts and to provide affected adult customers with a year’s worth of free credit monitoring.